<html>
<head><meta charset="utf-8"><title>context for crate rename advisories · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html">context for crate rename advisories</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="227003882"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227003882" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jessa0 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227003882">(Feb 19 2021 at 18:08)</a>:</h4>
<p>Hey there! I was browsing recent <a href="https://rustsec.org/advisories/">RustSec advisories</a> and noticed a couple of "crate rename" advisories, e.g. <a href="https://rustsec.org/advisories/RUSTSEC-2021-0025.html">RUSTSEC-2021-0025</a>. Please correct me if I'm wrong, but I am guessing the reason these advisories exist is to prevent dependency confusion attacks as was discussed <a href="https://users.rust-lang.org/t/dependency-confusion-attack-may-be-applicable-to-alternative-registries/55389">here</a>. If that's the case, I'd suggest adding a sentence or two to these types of advisories about why they exist and what a user of these crates can do about it.</p>



<a name="227004388"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227004388" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jessa0 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227004388">(Feb 19 2021 at 18:12)</a>:</h4>
<p>The thread about dependency confusion I linked to isn't exactly the same issue as taking over the old name of a renamed crate, but maybe it'd still be called "dependency confusion".</p>



<a name="227014561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227014561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227014561">(Feb 19 2021 at 19:24)</a>:</h4>
<p>you don't think they're actionable, or somehow confusing?</p>



<a name="227014594"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227014594" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227014594">(Feb 19 2021 at 19:24)</a>:</h4>
<p>they all include the new name... so the action is to switch to the new name</p>



<a name="227014664"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227014664" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227014664">(Feb 19 2021 at 19:24)</a>:</h4>
<p>the other security relevant thing is the old name becomes obsolete, so security advisories filed against the new name won't reflect on the old one</p>



<a name="227014687"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227014687" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227014687">(Feb 19 2021 at 19:25)</a>:</h4>
<p>even if it's the same codebase</p>



<a name="227043468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227043468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jessa0 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227043468">(Feb 19 2021 at 23:03)</a>:</h4>
<p>Well, advisories applicable to versions of the crate released under the old name should still be applied to that name, no?</p>



<a name="227043558"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227043558" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jessa0 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227043558">(Feb 19 2021 at 23:04)</a>:</h4>
<p>I had assumed these advisories were to prevent projects from continuing to use the old name while it could have been reclaimed by a different owner.</p>



<a name="227043669"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227043669" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jessa0 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227043669">(Feb 19 2021 at 23:05)</a>:</h4>
<p>It might help to spell out the reasons / actions even if they seem obvious, because I was left wondering what the ramifications were.</p>



<a name="227099189"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227099189" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227099189">(Feb 20 2021 at 15:51)</a>:</h4>
<p>we don't have first class support for renamed crates, although that would be an interesting feature</p>



<a name="227099295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227099295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227099295">(Feb 20 2021 at 15:53)</a>:</h4>
<p>perhaps we could add a new informational advisory type for renamed crates, with structured information about the new name</p>



<a name="227099309"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227099309" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227099309">(Feb 20 2021 at 15:53)</a>:</h4>
<p>then at least it could say "this advisory might apply to this older crate name"</p>



<a name="227102666"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227102666" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227102666">(Feb 20 2021 at 16:37)</a>:</h4>
<p>I'm not thrilled about first-class renaming support. I'd prefer to keep complexity low to make the database easy to integrate into external tooling.</p>



<a name="227102696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227102696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227102696">(Feb 20 2021 at 16:38)</a>:</h4>
<p>However, I agree we could elaborate more on the "unmaintained" status to make it more actionable. And define more clear criteria for it, too.</p>



<a name="227111053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227111053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227111053">(Feb 20 2021 at 19:07)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I'm not suggesting it do any more than at least warn for older (unmaintained) dependencies if there are vulns flagged for the new name</p>



<a name="227112335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227112335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jessa0 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227112335">(Feb 20 2021 at 19:30)</a>:</h4>
<p>Yeah, IMO the rename advisory suffices, but with the addition of some advice like "Upgrade to the new name and check for further advisories."</p>



<a name="227124006"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227124006" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227124006">(Feb 20 2021 at 22:39)</a>:</h4>
<p>everything else aside, I think tracking the rename information in some structured manner is a good idea</p>



<a name="227124007"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227124007" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227124007">(Feb 20 2021 at 22:39)</a>:</h4>
<p>it's come up a lot</p>



<a name="227174775"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227174775" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227174775">(Feb 21 2021 at 15:34)</a>:</h4>
<p>Perhaps <a href="http://crates.io">crates.io</a> should track that directly instead of an external database?</p>



<a name="227304115"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227304115" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227304115">(Feb 22 2021 at 17:23)</a>:</h4>
<p>I've seen a few crates copy the buggy version of <code>std::String::retain()</code> and <code>smallvec::insert_many()</code>. Considering that a copy-pasted bug has structural similarities with a renamed crate (the same bug under different crate names), should they be tracked in the same way?</p>



<a name="227351337"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/context%20for%20crate%20rename%20advisories/near/227351337" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/context.20for.20crate.20rename.20advisories.html#227351337">(Feb 22 2021 at 22:37)</a>:</h4>
<p>seems tricky</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>